Mailing Lists: Apple Mailing Lists


Re: 10.4.2 Nested Folder Permissions



Aaron,

Thanks for the input! In fact, memberd -r does refresh the membership and shows the user's new group... See below as I run memberd -r after making jdoe a member of yearbook-editors.

homes:/var/log root# id jdoe
uid=17005(jessica17005) gid=20(staff) groups=20(staff), 1025(yearbook), 1031(ahs-students)
homes:/var/log root# memberd -r
homes:/var/log root# id jdoe
uid=17005(jessica17005) gid=20(staff) groups=20(staff), 1025(yearbook), 1026(yearbook-editors), 1031(ahs-students)
homes:/var/log root#


Unfortunately, even though the server now knows the correct group... this user *still* doesn't get access to the yearbook-editors folder. Though, after more than an hour, the user does gain access. Any idea what else might be in the middle of this?

I haven't modified /etc/memberd.conf yet. I figured memberd -r would force any updates necessary.

Dave Hunter




At 1:25 AM -0400 8/27/05, Aaron Rosenblum wrote:
10.4 uses something called memberd to cache group membership. It sometimes doesn't immediately recognize changes to groups. In fact, it can take hours for the group membership cache to be updated. You can try doing a "memberd -r" and see if it helps. You can also tweak the memberd.conf file in /etc. The times listed there are in seconds. You can make them shorter if you'd like.

Aaron

On Aug 26, 2005, at 6:06 PM, David B. Hunter wrote:

Question regarding folder access based on group membership:

I have three 10.4.2 servers with ACLs turned on.

1. auth -  OD Master
2. ns1 - DNS/DHCP, OD Replica
3. homes - home directories, directory attached non-replica

I have a folder mounted at login for my users called "Classroom". Inside I have several folders nested for individual classes. A students group has R/O access to the folder and staff can R/W. I also have nested departmental folders that students selectively have access to based on the class they are taking and the group they are assigned to...

Classroom -> English-Dept -> Yearbook
Classroom -> English-Dept -> Yearbook-Editors

I have two groups of the same name applied each to Yearbook and Yearbook-Editors folders to allow access in addition to appropriate POSIX permissions.

The Yearbook and Yearbook-Editors groups have R/W privileges to Yearbook folder.

The Yearbook group has Write ONLY privileges to Yearbook-Editors folder and the Yearbook-Editors group has Read/Write privileges to Yearbook-Editors.

My problem is... when I add users to the various groups, they do not immediately have access to the folders. In fact, I have to reboot the home directory server in order for their group membership and subsequent access privileges to be recognized, allowing (or disallowing, as the case may be) access to the folders.

I have tried this with the homes server both standalone and as a replica. Same results. I've also tried adding users to the groups and doing a "lookupd -flushcache" on the homedir server -- no luck. Users logout, reboot and re-logon, no luck!

Any ideas on what is going on? Or of a command I can issue in the CLI to "refresh" the server's folder privileges based on the group memberships in the directory without a reboot?

Thanks for any advice!

David B. Hunter
Networking Specialist
South Bend Community School Corporation
South Bend, IN
email@hidden

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden
